Gallagher Re publishes report on ‘Gray Rhino’ cyber cat risk

A new cyber catastrophe risk paper from Gallagher Re draws on a literary metaphor from a US author, suggesting the risk of a cyber cat is akin to a ‘Gray Rhino’: an obvious disaster waiting to happen but still ignored.

Cyber insurance is an evolving, rapidly growing market but it has never had to deal with such an event, which makes a cyber cat inherently difficult to model and price, the reinsurance broker argued.

The industry is hampered by a lack of tangible scenario data points, inconsistent or non-existent cyber catastrophe claims coding frameworks, and an overarching high level of uncertainty, according to Gallagher Re.

The The Risk of a Cyber Catastrophe is the third paper in the Gallagher Re ‘Gray Rhino research series’.

The paper discusses the relative infancy of cyber modelling and how the re/insurance sector is managing its exposures.

It also addresses a “reluctance from capital providers to offer cost-effective and systemic solutions that address carriers’ true fear of the unknown”.

Key takeaways

• Business and insurance sector leaders are concerned about the prospect of a large-scale, systemic cyber-attack—a “cyber catastrophe” risk.
• Cyber insurance is an evolving, rapidly growing market, but it has never had to deal with such a catastrophe. By comparison to markets in natural catastrophe risk, where disasters like hurricanes, wildfires, tornados and floods are regular occurrences, this makes a cyber cat event inherently difficult to model and price. The industry is hampered by a lack of tangible scenario data points, inconsistent or non-existent cyber catastrophe claims coding frameworks and an overarching high level of uncertainty.
• Cyber modelling remains in its relative infancy. There is substantial divergence in the modelling of larger scenarios, which does not inspire confidence among capital providers.
• In response, the (re)insurance sector is managing its exposures through appetite, pricing, tighter wordings and exclusions.
• Meanwhile, demand for cyber insurance continues to grow, and following triple-digit rate rises in the past three years, insurers can have more confidence they are pricing the risk correctly. But while the supply of capital is increasing in parts of the market, there remains a reluctance from capital providers to offer cost-effective and systemic solutions that solve for carriers’ true fear of the unknown.
• Corporates are also seeking routes to mitigate their risks. The cybersecurity industry has made considerable progress since 2017’s NotPetya attack in reducing vulnerability to attacks. New developments, such as the rise of artificial intelligence and the creation of new cybersecurity tools offer the prospect of better risk management. However, in the wrong hands, they could also pose questions for US and international security frameworks—keeping the market in a state of flux.
• Model providers are investing in improving their capabilities, but the (re)insurance industry will require more and better data from insured clients on their cyber vulnerabilities and loss experience to improve models—and hence—pricing.
• This may enable more granular coverage, for example, by differentiating between large corporations and SMEs—the former vulnerable to targeted attacks, while the latter want to insure their exposure to a longer-tail, system-wide event.